Increase LAN Manager Authentication to "Send NTLMv2 response only\refuse LM"

    Question

  • I want to implement LAN Manager Authentication "Send NTLMv2 response only\refuse LM" in my domain. But before implementing it I want to check which applications, devices and clients are still using the old authentication protocol. What would be the best way to figure that out?

    Tuesday, January 31, 2017 9:15 AM

Answers

  • Hi,
    In my opinion, the following 3 methods may be helpful to figure out what still uses the protocol:
    1. Apply the policy "Send NTLMv2 response only\refuse LM & NTLM"; the applications that use NTLM will show up, as they fail and can then be seen.
    2. As Mahdi suggested, ask the manufacturers of those applications to tell
    3. Use Netmon to capture the packets if possible; since most of the authentication uses Kerberos, a large Netmon capture may be created before we can find something in it.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, February 2, 2017 8:37 AM
    Moderator
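The capture approach in the answer above only helps if you know what to look for in the trace. In an NTLM exchange (NEGOTIATE, CHALLENGE, AUTHENTICATE) only the client's AUTHENTICATE_MESSAGE (type 3) shows which response family it sent: an NTLMv1 NtChallengeResponse is exactly 24 bytes, an NTLMv2 response is longer (a 16-byte NTProofStr followed by the client challenge structure), and an LM-only client sends a 24-byte LmChallengeResponse with no NT response. The following is an added example, not code from the thread or from Microsoft: it parses a type 3 message extracted from a capture (the NTLMSSP blob inside SMB Session Setup, the base64 of an HTTP `Authorization: NTLM` header, an LDAP bind, and so on) and classifies it. The two sample messages at the end are constructed by the script itself, not real captures; the function names are mine, PowerShell 5.1 or later is assumed, and OEM (non-Unicode) strings are decoded as ASCII for simplicity.

```powershell
# Added example, not from the thread. Classifies an NTLMSSP AUTHENTICATE_MESSAGE
# (type 3, MS-NLMP 2.2.1.3) taken from a capture. Sample messages at the bottom
# are constructed here, not real captures; function names are mine (PS 5.1+).

function Read-NtlmField {
    # Field descriptor: Len (2) MaxLen (2) Offset (4), little-endian. Returns payload bytes.
    param([byte[]]$Bytes, [int]$At)
    $len = [int][BitConverter]::ToUInt16($Bytes, $At)
    $off = [int][BitConverter]::ToUInt32($Bytes, $At + 4)
    if ($len -eq 0) { return ,[byte[]]::new(0) }
    if ($off + $len -gt $Bytes.Length) { throw "Field descriptor at offset $At points outside the message" }
    return ,[byte[]]$Bytes[$off..($off + $len - 1)]
}

function Get-NtlmAuthenticateInfo {
    param([byte[]]$Message)
    if ($Message.Length -lt 64) { throw 'Too short for an NTLMSSP AUTHENTICATE_MESSAGE' }
    if ([System.Text.Encoding]::ASCII.GetString($Message, 0, 8) -ne "NTLMSSP`0") { throw 'Missing NTLMSSP signature' }
    if ([BitConverter]::ToUInt32($Message, 8) -ne 3) { throw 'Not an AUTHENTICATE_MESSAGE (type 3)' }

    $lm    = Read-NtlmField $Message 12      # LmChallengeResponseFields
    $nt    = Read-NtlmField $Message 20      # NtChallengeResponseFields
    $flags = [BitConverter]::ToUInt32($Message, 60)
    # NTLMSSP_NEGOTIATE_UNICODE (0x1) selects UTF-16LE strings; OEM decoded as ASCII here (simplification).
    $enc   = if ($flags -band 0x1) { [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::ASCII }

    $class = if ($nt.Length -gt 24) { 'NTLMv2' }
             elseif ($nt.Length -eq 24 -and ($flags -band 0x80000)) { 'NTLMv1 (extended session security)' }
             elseif ($nt.Length -eq 24) { 'NTLMv1' }
             elseif ($lm.Length -eq 24) { 'LM only' }
             else { 'anonymous / no response' }

    [pscustomobject]@{
        Class            = $class
        Domain           = $enc.GetString((Read-NtlmField $Message 28))
        User             = $enc.GetString((Read-NtlmField $Message 36))
        Workstation      = $enc.GetString((Read-NtlmField $Message 44))
        LmResponseLength = $lm.Length
        NtResponseLength = $nt.Length
    }
}

function New-TestAuthenticateMessage {
    # Builds a minimal type 3 message with zero-filled responses (test data only).
    param([int]$LmLen, [int]$NtLen, [string]$Domain, [string]$User, [string]$Workstation, [uint32]$Flags = 0x1)
    $u = [System.Text.Encoding]::Unicode
    $blobs = @(
        [byte[]]::new($LmLen), [byte[]]::new($NtLen),
        $u.GetBytes($Domain), $u.GetBytes($User), $u.GetBytes($Workstation),
        [byte[]]::new(0)                     # EncryptedRandomSessionKey: none
    )
    $header = [byte[]]::new(64)              # fixed part without Version/MIC
    [System.Text.Encoding]::ASCII.GetBytes('NTLMSSP').CopyTo($header, 0)   # byte 7 stays 0
    [BitConverter]::GetBytes([uint32]3).CopyTo($header, 8)
    $payload = [System.Collections.Generic.List[byte]]::new()
    $at = 12                                 # Lm 12, Nt 20, Domain 28, User 36, Workstation 44, SessionKey 52
    foreach ($b in $blobs) {
        $off = [uint32](64 + $payload.Count)
        [BitConverter]::GetBytes([uint16]$b.Length).CopyTo($header, $at)
        [BitConverter]::GetBytes([uint16]$b.Length).CopyTo($header, $at + 2)
        [BitConverter]::GetBytes($off).CopyTo($header, $at + 4)
        $payload.AddRange([byte[]]$b)
        $at += 8
    }
    [BitConverter]::GetBytes($Flags).CopyTo($header, 60)
    return [byte[]]($header + $payload.ToArray())
}

# Constructed samples: a 24-byte NT response (NTLMv1) and a 100-byte one (NTLMv2).
$v1 = New-TestAuthenticateMessage -LmLen 24 -NtLen 24  -Domain 'CORP' -User 'svc-legacy' -Workstation 'APP01'
$v2 = New-TestAuthenticateMessage -LmLen 24 -NtLen 100 -Domain 'CORP' -User 'jdoe'       -Workstation 'WS-042'
Get-NtlmAuthenticateInfo $v1
Get-NtlmAuthenticateInfo $v2
```

A capture only shows the clients passing the capture point, so this complements rather than replaces server-side auditing, and in a Kerberos-heavy domain it is worth filtering the trace down to NTLMSSP type 3 messages before exporting blobs, which is exactly the size problem the answer mentions.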
  • You could help identify the "who and what" is using the old NTLM protocol by enabling NTLM auditing via a GPO.  To do this, please see the following reference:  Using Group Policies to audit NTLM traffic.  This method will meet your goals before implementing and without incurring any service disruption.  From the article:  "This procedural topic describes the available Group Policies and security policies that can be used to discover NTLM traffic in your system and domain and shows you how to assess NTLM activity. For every policy to restrict NTLM, there are policies or options to first audit NTLM traffic. This permits you to log and analyze authentication activity between clients and member servers or within a domain before restricting the traffic and potentially causing service interruptions."  Good luck to you.

    Best Regards, Todd Heron | Active Directory Consultant


    Friday, February 3, 2017 1:12 PM
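The audit-before-restrict procedure in the answer above, as an added example that is not code from the thread or from the referenced Microsoft article. The registry values are the ones the "Network security: Restrict NTLM" settings write under `MSV1_0`; setting them locally as below is for a lab, in production set them through the GPO as Todd describes. The script assumes PowerShell 5.1 or later, run elevated on a member server or domain controller, and the function names are mine. Two points a practitioner needs: the NTLM audit events (8001 to 8004) record that NTLM was used, not which version, while Security event 4624's "Package Name (NTLM only)" field distinguishes LM, NTLM V1 and NTLM V2; and 4624 is logged on the computer that accepted the logon, so it has to be collected from the resource servers as well as the DCs (a DC sees pass-through validation as 4776, which carries no version).

```powershell
# Added example, not code from the thread. Assumes PowerShell 5.1+, run
# elevated on a member server or domain controller. Registry values are the
# ones the "Network security: Restrict NTLM" Group Policy settings write;
# local writes are for a lab, use the GPO in production. Function names are mine.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv = "$Lsa\MSV1_0"

# Meaning of LmCompatibilityLevel, the value behind "Network security: LAN Manager authentication level".
$LmLevel = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $v = (Get-ItemProperty $Lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { $v = 3 }   # value absent: the OS default (3) on current Windows versions
    [pscustomobject]@{ Level = $v; Meaning = $LmLevel[[int]$v] }
}

function Enable-NtlmAudit {
    # "Restrict NTLM: Audit Incoming NTLM Traffic": 2 = audit all accounts
    Set-ItemProperty $Msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    # "Restrict NTLM: Outgoing NTLM traffic to remote servers": 1 = audit all
    Set-ItemProperty $Msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # "Restrict NTLM: Audit NTLM authentication in this domain" is read by DCs only: 7 = enable all
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
        Set-ItemProperty $Msv -Name AuditNTLMInDomain -Value 7 -Type DWord
    }
}

# Audit events 8001 (outgoing), 8002 (incoming), 8003/8004 (domain-wide, on DCs)
# land in the NTLM operational log. They show NTLM use, not the NTLM version.
function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Group-Object Id | Select-Object Name, Count
}

# The NTLM version is in Security event 4624, field "Package Name (NTLM only)"
# (LmPackageName): LM, NTLM V1 or NTLM V2. Logged where the logon was accepted,
# so run this on each server (DCs included), not only on DCs.
function Get-LegacyNtlmLogon {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM' -and $d.LmPackageName -in 'LM', 'NTLM V1') {
            [pscustomobject]@{
                Package     = $d.LmPackageName
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                IpAddress   = $d.IpAddress
                LogonType   = $d.LogonType
            }
        }
    } | Group-Object Package, User, Workstation, IpAddress |
        Sort-Object Count -Descending | Select-Object Count, Name
}

Get-LmCompatibilityLevel
Enable-NtlmAudit
Get-NtlmAuditSummary -Days 7
Get-LegacyNtlmLogon -Days 7
```

Run the 4624 summary over a period that covers monthly jobs and service restarts, since a batch account that authenticates once a month is exactly the kind of client that breaks after the change. Note the asymmetry of the policy: on the accepting side, level 4 refuses LM and level 5 refuses LM and NTLMv1, while on the sending side any level of 3 or higher already makes the client send NTLMv2 only, so the entries this report finds are the clients or devices still below level 3 (or third-party stacks that implement only NTLMv1).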

All replies

  • What would be best way to figure out that?

    By having an identical test domain which has the applications on some test workstations. Or you can start testing on weekends. Otherwise you should call the vendor to see whether they will fail or not once you block LM. That is my idea.


    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or mark this post as helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Tuesday, January 31, 2017 11:09 AM
    Moderator
  • Calling multiple vendors and application owners after making their applications fail will not be the best way to go. I want a way to figure out who is still using that old protocol before calling them. Will a network trace work, or something like that?
    Wednesday, February 1, 2017 8:02 AM
  • You could help identify the "who and what" is using the old NTLM protocol by enabling NTLM auditing via a GPO.  To do this, please see the following reference:  Using Group Policies to audit NTLM traffic.  This method will meet your goals before implementing and without incurring any service disruption.  From the article:  "This procedural topic describes the available Group Policies and security policies that can be used to discover NTLM traffic in your system and domain and shows you how to assess NTLM activity. For every policy to restrict NTLM, there are policies or options to first audit NTLM traffic. This permits you to log and analyze authentication activity between clients and member servers or within a domain before restricting the traffic and potentially causing service interruptions."  Good luck to you.

    Best Regards, Todd Heron | Active Directory Consultant

    Sounds like a good one :)

    I will investigate on that too.


    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or mark this post as helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Sunday, February 5, 2017 4:13 AM
    Moderator
  • I am trying to figure it out using the network traces. Once I find the result I will update this thread; meanwhile any other solution is very much welcome.
    Thursday, February 23, 2017 9:23 AM